July 1st, 2009
There has been a lot of talk in the news lately about Barnaby Jack’s “Jackpotting ATMs” talk, which he was scheduled to give at Blackhat and Defcon this year and in which he was going to actually jackpot (have it spit out money) an ATM live on stage. One of the articles on this can be found at risky.biz. Here is the timeline of events: Barnaby does the research into ATM vulnerabilities and finds a way to jackpot them. He then notifies the vendor and lets them know about the vulnerability. The vendor sits on it. Barnaby then submits a talk to Blackhat and Defcon, and the talk gets accepted and scheduled. The vendor then puts pressure on Barnaby’s employer (Juniper Networks) and gets them to postpone the talk until the vendor fixes the issue.
I have a few issues with this. First of all, Barnaby notified the vendor and they didn’t do anything about it until they found out he was going to talk about it at Blackhat/Defcon. In my opinion, if a vendor drags their feet or ignores the issue, you should be free to announce it publicly. You are a company that makes ATM machines! Why would you sit on a vulnerability like this? Second, you put pressure on his employer to keep it from getting presented? If I understand correctly, he contacted the vendor first, they ignored him, and then they went to his employer. The only thing this accomplishes is that it completely takes a crap on Barnaby. Why can’t you work with him directly to get stuff done instead of putting pressure on his employer? The third problem I have with this situation is that Juniper gave in and actually made him postpone the talk. I understand it from a business point of view, but why are you trying to cover someone else’s inadequacies? In my opinion, this vendor should have to take the heat that Barnaby’s talk will bring them.
Posted in Blackhat, Defcon, Exploits, Hardware, Talks
March 31st, 2009
It is amazing how much press buzz Conficker has generated the past several days. Most of it revolves around the fact that we know an update will go out to it tomorrow (April 1st, 2009), and people start speculating because that happens to be April Fools’ Day. So far, Conficker hasn’t done a single productive thing. It has infected millions of machines and then just sat there. I read an article from Symantec claiming that it will do nothing but harden itself. If that is the case, then why? What is the point of spending tons of time creating this worm and then letting it sit there and idle? I remember not too long ago we were seeing the same behavior from Storm, and it just ended up that the creators were selling off sections of it to people who used it simply to DDoS, spam, and phish. Kinda disappointing in the end, but in this world it is all about getting money. Will Conficker just end up blowing over like Storm (pun intended)? I am waiting for someone to release a variant of Conficker that simply downloads and runs SETI@home. It would be more useful than what it is doing now.
Posted in Exploits, Microsoft, Misc, Phishing, Uncategorized, Worms
March 24th, 2009
The Responsible Disclosure debate has been around for years: whether to notify software creators about bugs in their software (responsible disclosure) or just release them to the general public to put pressure on software vendors to patch quickly. Arguments can go either way. There are some vendors that are notorious for ignoring the problem completely, dismissing the problem as a non-issue, downplaying the issue, taking years to patch, or a combination of any of the above. This behavior frustrates researchers and bug finders because we just want our shit patched.
The recent hoopla around responsible disclosure has come from some researchers announcing that they will not be giving vendors any bugs for free and will hold onto a bug/vulnerability until either they get compensated for their work or they can use it to their own advantage. One of these researchers, Charlie Miller, has already put this into action at CanSecWest’s pwn2own contest. He held onto a Safari vulnerability and was able to win the competition by owning the box within 30 seconds of the competition opening. He ended up taking home $5000 and the MacBook that he owned.
This not only blurs the lines on what a 0day is, but my question is, “how does this help anything?” The answer is that it doesn’t help anyone but the guy who found it. It is basically throwing every user of that specific application or service under the bus because you are intentionally keeping this vulnerability from being patched. At this point, what differentiates you from a “Grey Hat Hacker”? You are one step away from selling the exploits on a site like the old WabiSabiLabi. Another question I have is how many of these researchers were on the job when finding these bugs/exploits? To me, it doesn’t make much sense to demand additional compensation for something you were essentially already getting paid to find.
Posted in Bugs, Exploits, Responsible Disclosure, Worms
March 17th, 2009
I happened to come across an email in my inbox this morning:
donotreply@blizzard.com
From: wowaccountadmin@blizzard.com (wowaccountadmin@blizzarid.com)
Sent: Tue 3/17/09 6:53 AM
To: xxxxxxxxxxx@xxxxxxx.com; xxxxxxxxx@xxx.com; xxxxxxxxxxxxx@xxxxxxx.com; xxxxxxxxxxxxxxxx@xxxxx.com; xxxxxxxx@xxxxxxxxx.net; xxxxxxxxx@xxxxx.com; xxxxxxxxxxxx@xxxxxxx.com; xxxxxxxx@xxxxx.com; xxxxxxxxx@xxxxxxx.com; xxxxxxxxxx@xxxxx.com; xxxxxxxxxx@xxx.com;
Greetings!
It has come to our attention that you are trying to sell/trade your personal World of Warcraft account(s).
As you may or may not be aware of, this conflicts with the EULA and Terms of Agreement.
If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment’s employees.
If you wish to not get your account suspended you should immediately verify your account ownership. If the information is deemed accurate, the investigation will be dropped.
This action is taken because we at Blizzard Entertainment take these sales
quite seriously. We need to confirm you are the original owner of the account.
This is easiest done by confirming your personal information along with concealed information about your account.
You can confirm that you are the original owner of the account by replying to this email with:
Use the following template below to verify your account and information via email.
* First and Surname
* Date of birth
* Address
* Zip code
* Phone number
* Country
* Account e-mail
* Account name
* Account password
* Secret Question and Answer or Cd-Key
If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.
We ask you to NOT change password until the investigation is fully completed.
Blizzard Entertainment Inc
Account Administration Team
P.O. Box 18979, Irvine, CA 92623
Regards,
Account Administration Team
Blizzard Entertainment
I’ll admit that I almost fell for it. I was kinda panicked up until the point where it asked for the account name, password and secret question/CD-key. At that point I went and double-checked the From email address and realized the misspelling of blizzard.com. Just goes to show that even a very security-conscious user may fall for some of these phishing attacks.
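The two tells in this message, a sending domain that differs from the displayed one and is one character off the real one, and a body that asks for a password and CD-key, can both be checked mechanically. The following is an added example written for this post, not code from the original; the sample header and body are constructed from the quoted message, and the expected domain and credential word list are assumptions to tune for your own mail.

```python
import re

# Constructed sample, modelled on the message quoted above (not the raw
# message itself): this webmail client showed the display address first and
# the actual sending address in parentheses.
SAMPLE_FROM = "wowaccountadmin@blizzard.com (wowaccountadmin@blizzarid.com)"
SAMPLE_BODY = ("Use the following template below to verify your account.\n"
               "* Account name\n* Account password\n"
               "* Secret Question and Answer or Cd-Key\n")

EXPECTED_DOMAIN = "blizzard.com"            # the domain the mail claims to be from
CREDENTIAL_WORDS = ("password", "cd-key", "secret question")  # assumed watchlist
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domains_in(header):
    """Every domain appearing in a From header, in order of appearance."""
    return [m.group(1).lower() for m in ADDR_RE.finditer(header)]

def edit_distance(a, b):
    """Levenshtein distance; one insertion turns blizzard into blizzarid."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(from_header, body, expected=EXPECTED_DOMAIN, max_dist=2):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    domains = domains_in(from_header)
    if len(set(domains)) > 1:
        findings.append("display domain %s differs from sending domain %s"
                        % (domains[0], domains[-1]))
    real = domains[-1] if domains else ""
    dist = edit_distance(real, expected)
    if real != expected and 0 < dist <= max_dist:
        findings.append("%s is a lookalike of %s (edit distance %d)"
                        % (real, expected, dist))
    asked = [w for w in CREDENTIAL_WORDS if w in body.lower()]
    if asked:
        findings.append("asks for credentials by email: " + ", ".join(asked))
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_FROM, SAMPLE_BODY):
        print("-", finding)
```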
Posted in Phishing
February 23rd, 2009
For the past few weeks I have been working on a network stack fuzzer. I did a little bit of research trying to find ways to craft packets with the granularity I was looking for and didn’t find much. What I came upon was Scapy. Scapy is written in Python, so it ended up being perfect since I had just bought a book on Python with the intent of learning it. Now let me make this clear: I am naturally not a coder. I have tried to code many times and most of it falls flat on its face. But I am determined to do this, so I did. Over the past few weeks, I started playing with Scapy and crafting various packets. Then I started into my Python book and learned the basics of it. I love the fact that it doesn’t require semicolons at the end of each line and uses whitespace to determine where conditional blocks end.
Once I felt I had enough basics down, it was time to put some of it to practical use, and out of that was born FragTrain. The term “FragTrain” comes from Mike Poor in the SANS Sec503 course; it refers to a series of fragmented packets. Currently, FragTrain does not have the capability to fragment traffic and send it down the wire, but that is functionality I would like to build into it in the future. Basically all it does now is take user input (the IP address to attack) and cycle through the packet headers, feeding them values that range from legal to illegal (think destination port 70000). Unfortunately, right now it is very slow. This is because Scapy takes forever to create these packets and send them down the wire. I think I am going to purchase “Foundations of Python Network Programming” to see if I can create these packets without the assistance of Scapy. We will see what happens as I keep working on it.
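One caveat worth knowing before crafting headers without Scapy: a value such as destination port 70000 cannot exist on the wire, because a 16-bit field cannot hold it. Any packer either rejects it or wraps it to a legal value, so the interesting malformed cases are fields that are internally inconsistent (a UDP length that disagrees with the payload), not values that do not fit. The block below is an added example written for this post, not FragTrain’s code; the field table and field names are assumptions, and nothing here touches the network.

```python
import struct

# Constructed field table (an assumption, not FragTrain's own code): header
# field name -> bit width for a few IPv4/UDP fields a stack fuzzer would cycle.
FIELDS = {"ip.ttl": 8, "ip.frag_offset": 13, "udp.sport": 16,
          "udp.dport": 16, "udp.len": 16}

def boundary_values(bits):
    """Values to feed a `bits`-wide unsigned field: the legal extremes plus
    the first value past the top of the range."""
    top = (1 << bits) - 1
    return [0, 1, top - 1, top, top + 1]

def encode_field(value, bits):
    """Encode `value` into a `bits`-wide field as it would appear on the wire.
    Returns (on_wire_value, fits). A 16-bit port cannot hold 70000; masking
    (which any packet library must do to emit bytes) turns it into 4464, a
    perfectly legal port, so the 'illegal' case silently disappears."""
    mask = (1 << bits) - 1
    return value & mask, 0 <= value <= mask

def udp_datagram(sport, dport, payload, claimed_len=None):
    """Pack a UDP header plus payload. struct.pack rejects out-of-range field
    values outright (the other way an 'illegal' value never reaches the
    wire), but it happily accepts a length that disagrees with the payload,
    which is the kind of malformed input a stack actually has to handle."""
    length = len(payload) + 8 if claimed_len is None else claimed_len
    try:
        return struct.pack("!HHHH", sport, dport, length, 0) + payload
    except struct.error:
        return None

def fuzz_plan(fields=FIELDS):
    """Per field, list (requested, on_wire, fits) so a run reports which
    cases are real out-of-range tests and which collapse into legal packets."""
    return {name: [(v, *encode_field(v, bits)) for v in boundary_values(bits)]
            for name, bits in fields.items()}

if __name__ == "__main__":
    for name, cases in fuzz_plan().items():
        for requested, on_wire, fits in cases:
            tag = "legal" if fits else "wraps to %d" % on_wire
            print("%-15s %6d  %s" % (name, requested, tag))
    print(udp_datagram(1234, 53, b"abcd", claimed_len=65535).hex())
```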
Posted in Tools
February 22nd, 2009
The blog is back up after several months of being down. I moved states because I got a new job and haven’t quite had the time to bring everything back up and running, but here it is now! Anyway, there are some cool things that I have been working on, and when I get some time I will go ahead and post them up.
Posted in Misc
November 18th, 2008
I guess the jig is up and my experiment has come to a close. To fill you in, I created several (by several I mean 20-25) fake Blackhat Twitter accounts and started posting updates to them mirroring what I saw on their official Twitter feed. I did it to see how many people I could get following me. I am glad to say it got to 917 followers. My intent was not to do anything malicious with it, just to see how many people I could get following a bogus Twitter feed that looked legit. I have to give credit to Shawn Moyer and Nathan Hamiel, as I never would have done it without seeing their talk at Blackhat this year. Just one note: I did get the direct message from BlackHatUSA2008 on Twitter asking who I was, but I cannot send you back a message unless you follow me. If Jeff Moss would like to contact me to gain control of the Twitter accounts, my email address should be to your right under “About.”
Posted in Defcon, Phishing
October 14th, 2008
Although this article on The Register presents almost no new information, it claims that “researchers” have found that the Storm botnet is dead. I have heard these kinds of stories in the past, but then we always get a new wave of emails, so I am not too trusting of this story. There is a tiny bit of me that wants to believe it is true since it has been pretty quiet on the Storm front. Storm was very interesting and I followed its development very closely since botnets were one of my very first interests. Storm definitely raised the bar as far as botnets go. If I am not mistaken, it was the first botnet to use p2p (eDonkey) to communicate, and it encrypted all its messages, making it harder to detect. No one knows for sure if it really is done, but I guess we will have to see.
Posted in Uncategorized
September 30th, 2008
So, after about 6 months of studying I finally attained my GCIA certification. This test was one of the most (if not the most) difficult tests I have ever taken. I paid a lot of money to take the SANS course and the test for it, and I am debating whether it was worth it or not, since most of the questions from the test I learned from reading the book Intrusion Detection and Prevention and not from the class itself. The class with Mike Poor was really good as a starting point. The book made a whole lot more sense because I had taken the class than it would have if I had just bought the book. I am not sure if that was because of the exposure to analyzing packets in hex, but I do think it was a great starting point. All in all, I would strongly suggest attaining this cert for anyone in the security industry because it gives you such a granular and in-depth look at what is physically being transmitted over the wire, as well as amazing analytical skills.
Posted in Uncategorized
August 19th, 2008
In recent world events, Russia has invaded the country of Georgia. Not only is this event very interesting from a political standpoint, it is also very interesting from an information security/cyberwar standpoint. Prior to the actual physical invasion, Georgia was the victim of several attacks against its government websites. To date, there is no hard evidence that the Russians are responsible for the cyber attacks against Georgia, but allegedly things have been traced to Russian servers tied to organized-crime groups. Regardless of evidence, if you just look at the timeline of events, it points directly to Russia.
It seems like it will become standard to DoS someone’s network/website before or during a physical invasion (and it only makes sense). It is classic war strategy to eliminate or disrupt an enemy’s communication system, and this is just an additional way of doing that in today’s day and age.
Another interesting thing that I just came across while writing this post is this page from slate.com. Basically it outlines how this reporter became a “cyberwarrior.” To sum it up for you, he did a very small amount of research and found a few ways to DoS Georgian websites. The first was a page with very basic JavaScript that just loads 18 different Georgian pages in one tab of Firefox/Opera, and they want you to set the browser to refresh the tab every 3-5 seconds. Low-quality DoS here. Another one was a script turned into a Windows executable (just as simple) to basically ping multiple times. I hope these are not the tools responsible for getting the Georgian pages hosted by the likes of Google. Is it something that I can launch against my site (from Russian IPs) to get Google to host my sites?
Posted in Cyber Warfare